
Category MDJ

All you do is stare at a blank sheet of paper until drops of blood form on your forehead. —Gene Fowler

Repeating that this hasn’t been easy doesn’t make it any easier on you or on us, but we implore you for just a bit more patience. We’re essentially rebooting the entire operation and we’re almost to the login screen. We’ll make it a better metaphor within the week.

Of course, a Security Update arrived while we were trying to write about Security Updates. That’s just how that works.

As of tonight, we believe we’ve fixed the MDJ and MWJ secure RSS feed generators to fix two problems:

We’re now using ditto to create the “.zip” archives, so they should unzip correctly on just about any Mac OS X system you care to try, and

If the previous issue of MWJ was published more than a week ago (when the feeds are built), it should automatically include all issues of MDJ published since that issue of MWJ (except those in the last 48 hours, as we originally noted back when we formulated this policy). When the next issue of MWJ arrives, the MDJ issues will vanish from the feed.

With any luck, now that this code is completed, it won’t run again for weeks or months. We could live with that version of “that’s just how that works.”

MDJ 2006.12.18 is now in distribution – and we’ve verified that the “.zip” file in the secure RSS feed both downloads and decompresses properly. The setext version has a proper digital signature, too.

If MWJ is not out by Tuesday night, MDJ 2006.12.18 will appear in the secure MWJ RSS feed. We still have to do that by hand, but after last week, we think we remember all the steps. After that, MWJ should return to a normal weekend schedule through the end of February, with one weekend off (though we don’t know which one yet).

We had some problems trying to get Adobe Acrobat 8 Pro to digitally certify today’s issue (MDJ 2006.11.20) – the program did it just fine, but instead of growing the file size by 5% or so, it bloated it by 44%. We don’t need to add 44% to the size of a single issue for a digital signature, so we signed it in Acrobat 7.

Unfortunately, in the confusion, we kind of forgot to digitally sign the setext version of MDJ 2006.11.20 at all. Sorry about that – little things are still falling through the cracks, but we’re working on it.

[Note: This item was originally posted on September 28, but for some reason, it keeps vanishing. Restoring it occasionally bumps it to the top of the home page, but unless you see an “Update:” at the top or bottom, there’s nothing new for those who’ve already read it. Sorry for any inconvenience.]

We’re all extremely grateful for the E-mails and other things that have poured in since Matt first discussed his diagnosis of heart failure, and the new batch that came in today after it was disclosed in MDJ 2006.09.28. Many people have asked if they can do anything, no matter how small, and after reading today’s E-mail, there is one thing everyone can do that would help us tremendously.

Stop using StuffIt 7 or 8. Seriously.

We’ve distributed the PDF versions of MDJ and MWJ as binhexed StuffIt archives for over ten years, because until the days of Mac OS X, that was the best way to save bandwidth while preserving the "PDF " file type and "CARO" creator type necessary to allow double-clicking the issue files. In the past couple of years, readers have requested a switch to Zip archives because they’re easier to decode on other platforms. We would have preferred switching to StuffIt X because, frankly, it makes smaller files, and we’re all about saving bandwidth – but the free StuffIt Expander for Linux can’t decode these files, and a few people do process their E-mail on Linux boxes, so we’ve resisted the temptation.

But for some reason we don’t really understand, a lot of people seem to have stopped paying attention to StuffIt when Apple stopped bundling it. StuffIt 7 was released over three and a half years ago, and a lot has changed on Mac OS X since then. That was pre-Safari, for pete’s sake. StuffIt 9 (released two full years ago, before Tiger) added important new decompression algorithms to keep up with the latest in Zip technology, as well as to support new StuffIt features.

We know that Aladdin/Allume/Smith Micro has not always made upgrading StuffIt easy, especially if you want a new Expander while keeping the functionality of an older paid version. Some versions of Expander installed a “replacement” StuffIt framework that made older paid versions stop working. Even today, Smith Micro requires you to provide your E-mail address to get a link to the StuffIt Expander download page, and notes that by doing so and clicking the links, you are signing up for an opt-out mailing list about new products. We’re glad that you’re no longer forced to download the entire “StuffIt Standard” product and install it for evaluation just to get Expander at all. Even so, this is the kind of behavior that has dropped Expander from a “must-have” to “must-tolerate” product.

Nonetheless, if you use StuffIt Expander, you are well advised to use a current version. If you’re unwilling to try the brand new Expander 11.0, the same download page offers Expander 10.0.2. If you have multiple versions already, we advise that no one use any version of StuffIt Expander older than version 9.0.2. Version 9.0.1 and earlier simply cannot expand all modern StuffIt and Zip archives. If you’re not using at least version 9.0.2, you need to update, or alternately, accept that there are archives in the wild that you cannot decompress – and some of them may come from us.

Paying for StuffIt is no longer a no-brainer (we hope to take a full look at version 11 in an upcoming issue of MDJ and MWJ), but that doesn’t obviate the need to stay up-to-date if you do use the free StuffIt Expander. We try to stay up-to-date on lots of tools to get the smallest files possible, and we simply cannot guarantee that we can create files that old utilities know how to decompress. It’s more of a pain than it should be, but one of the best ways you can help us deliver issues to you is to have a current (i.e., 9.0.2 or later) version of StuffIt Expander.

We hope to make Zip archives that either the command-line or the Finder can decompress, but even that may require current versions of those programs (i.e., Tiger or later). The best way to make sure you can decompress anything that anyone creates is to use StuffIt Expander 9.0.2 or later. Just that simple change would probably drop our support E-mail by 25% per month, believe it or not.

Oh, and if you’re unhappy with current StuffIt offerings or practices, tell Smith Micro. Be specific about what you don’t like and what you’d like to see instead. We know they want to hear from you.

We’ve installed StuffIt Deluxe 11 on the production system, and in preparing MDJ 2006.09.28 for distribution, we noticed that the new version no longer creates classic StuffIt (“.sit”) archives, the kind we’ve used since 1996 in distributing PDF files. This gives us a chance to start converting to ZIP compression as so many of you have requested.

Unfortunately, our distribution software was not expecting this, so we Zipped the issue and wrapped it in Binhex so the MIME type would still be correct. However, the enclosed file is not named “MDJ_20060928.pdf.sit”, but rather “Archive.zip”. This may affect some of your mail clients or automatic issue receiving scripts, for which we apologize. This is likely not the final word on Zip-based distribution, but we thought we should warn you of the change.

Update: We are getting reports from people who cannot unzip the archive in today’s E-mail delivery. If that happens to you, try the version in the secure RSS feed for your subscription – we’ve also heard that it works just fine, even though the two files were created by the same program (DropStuff 11). The file length on Archive.zip, once the binhex encoding has been removed, should be 159,666 bytes. The file length for MDJ_20060928.pdf.zip in the RSS feed should be 160,165 bytes. We’re not sure what difference the extra 499 bytes make, but obviously, we’ll attempt to fix E-mail delivery before our next issue.
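A way to act on the published lengths above, as an added example that is not part of the original post or MacJournals' own tooling: compare a download against its expected length, then read every member to verify its CRC-32. This separates a damaged transfer from an archive that is intact but that an older expander cannot decode. The sample archive and the name `MDJ_sample.pdf` are constructed; only the two lengths come from the post.

```python
import io
import zipfile

# Lengths published in the post above, in bytes.
PUBLISHED_LENGTHS = {
    "Archive.zip": 159_666,           # e-mail copy, after BinHex decoding
    "MDJ_20060928.pdf.zip": 160_165,  # secure RSS feed copy
}


def check_archive(data: bytes, expected_size: int) -> str:
    """Return 'ok', or a short reason the archive should not be trusted."""
    if len(data) != expected_size:
        return f"size mismatch: got {len(data)}, expected {expected_size}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() reads every member and returns the first name
            # whose stored CRC-32 does not match its contents.
            bad = zf.testzip()
    except zipfile.BadZipFile as exc:
        return f"not a readable zip: {exc}"
    if bad is not None:
        return f"CRC failure in member {bad}"
    return "ok"


def make_sample_zip() -> bytes:
    """Constructed stand-in for an issue archive (not a real MDJ file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("MDJ_sample.pdf", b"%PDF-1.4 constructed sample body\n" * 50)
    return buf.getvalue()


if __name__ == "__main__":
    good = make_sample_zip()
    # Flip one byte inside the stored member: same length, different content.
    i = good.find(b"%PDF") + 10
    flipped = good[:i] + bytes([good[i] ^ 0xFF]) + good[i + 1:]

    print(check_archive(good, len(good)))
    print(check_archive(good[:-10], len(good)))
    print(check_archive(flipped, len(flipped)))
    # For a real download, pass the file's bytes and the published length:
    #   check_archive(open(path, "rb").read(), PUBLISHED_LENGTHS["Archive.zip"])
```

A matching length and a clean CRC pass only show that the transfer was intact; they say nothing about who produced the file, which is what the digital signatures mentioned elsewhere on this page are for.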

I last got MDJ or MWJ on such-and-such a date. Has there been an issue published since then?

Our status page lists the current issues of both MDJ and MWJ, including issue sizes, and when distribution began – and it’s been there (and up-to-date) for more than five years. Unless your or our Internet connection is down, this information is always instantly available to you.

As of this summer, subscribers can also get the same information in their secure RSS feeds. We sent this information to all current subscribers in June, and it’s been part of the “Welcome to MDJ” (or ‘MWJ’) letter for all subscribers since then. See here for more information about how difficult it’s proven to be to tell people about this.

Have you published anything since then?

We published over 30 pages of on-the-spot information from WWDC 2006 right here, available to all MDJ and MWJ subscribers. See here for our attempts to tell people about this and how they seem to not have worked very well. We’ve also provided a few updates on this news blog, including an article on why E-mail is broken, and why we can’t use it to tell you things the way we’d like. It’s not a standard “issue,” but it’s still a significant amount of material that some of you didn’t seem to know about.

We’re sorry if we haven’t made this very clear somehow, but due to problems with the ventilation in our office, working here this summer has made staff members seriously ill. We’re talking emergency rooms, chest X-rays, heavy-duty prescriptions for weeks on end, significant respiratory distress, inability to sleep due to breathing problems, extensive coughing fits, multiple doctor visits – seriously ill.

We haven’t been trying to emphasize this because, honestly, there’s really nothing more boring than stories about how other people are sick, is there? But from the questions we’re getting, we apparently need to make clearer that the fungus in our office this summer is not like a day of a hay fever attack – it was a continuous, slow-to-build, undiscovered source of poison in the air we breathe. At this point, we’re basically just extremely lucky that more staff members didn’t get even more ill than they did.

The most distressing thing about it is that when it was just getting started in June and July, and we had no idea what was going on or how serious it was, we kept spending more time in the office trying not to fall behind. The symptoms were of allergy attacks (not infections), and it seemed perfectly reasonable to go slow in front of a computer instead of at home on bedrest, so we kept trying to get more work done – and every moment we tried, we were getting even more seriously ill and had no idea.

This does not heal instantly. We’ve had the ventilation fixed for nearly a week, but the staffers who work here are still having severe coughing fits and other symptoms of the toxins clearing out. (This is similar to what Matt experienced near the end of WWDC, he says – after a week away from the bad ventilation, he felt like he was getting worse, but now he realizes his lungs were just trying to expel the last of the nastiness.)

It really has been a nasty episode, and we’re still amazed that we managed to get MDJ 2006.08.30 out the door (now available to all MWJ subscribers in their RSS feeds). We’re hoping to get on a regular schedule next week, and we’re planning to spend time away from the studio Friday and Saturday to help make sure things are on track. (That is, if being outside for a long spell and then coming back to the studio makes us feel worse, it’s a good sign something is still wrong. We have felt significantly better this week, but a sanity check seems like an excellent idea. We have follow-up doctor appointments this month as well.)

There’s really only one thing we want to do more than get back to a June-style schedule around here – we hope you miss us for the same reasons we miss providing the high-quality information and reality check you expect from MDJ and MWJ. That one thing we want more? Unobstructed, regular, oxygen-rich breathing. Once that happens, the rest should be a cinch.

But how come I haven’t seen any traffic on the MacJournals-Talk (or, as some still call it, MWJ-Talk) mailing list?

The discussion list has been unavailable for months due to abuses of the honor system, and with everything else going on, we have not had the time to try to complete the work tying it to the subscription database. If you didn’t know this, please let us know how we could have communicated it better other than trying to send E-mail to everyone, which has its own set of problems (again, see here for more information on those problems – basically, even if we put important news in the very front of an issue, a lot of people just don’t see it, and then ask us months later what’s going on). We’d really like to know how to do this better.

And, for all we know, that may be exactly what happens. But, we asked ourselves, didn’t we go through some similar readings of the tea leaves not too long ago in an incredibly similar situation? Why, yes! Yes, we did. From MDJ 2006.03.15:

On 2006.02.28, Apple held a “media event” for reporters to “see some fun new products.” Even though that’s all the invitation promised, speculation immediately began that Apple was about to introduce everything from Intel-powered iBooks to the mythical “touch-screen video iPod,” inexplicably referred to by some as the “true video iPod.” Some people even obsessed over the iCal-style illustration on the invitation, wondering what it meant. (It meant “28 February 2006.”)

In other words, “Apple watchers” turned Apple’s simple media invitation to a product announcement on its own R&D Campus (not at Moscone Center, not at Flint Center, not at a trade show) into huge expectations for the reinvention of all forms of computing and entertainment. Then, when Apple did exactly what it said it would do and announced two “fun” products – the Mac Mini (Early 2006) with better entertainment features and the iPod Hi-Fi speaker system, these same “Apple watchers” were “disappointed” that Apple did not meet the expectations for products they had made up out of whole cloth.

We have no insight as to what Apple intends to announce in six days – but neither do any of these people trying to discern answers from the design of the invitation, especially given how far off they were last time. We’re just saying.

Given the secrecy, duplicity, and inconsistency that has marked Maynor and Ellch’s presentation, starting with going to the press to take on that Mac user “aura of smugness” before Black Hat and continuing through the next month, there are only two easy ways for the pair’s credibility to be restored. One would be for Apple to release a patch for the problem they found, describing it and fixing it so that everyone would be free to talk about it. That, of course, presumes the bug exists and affects Apple’s hardware, not just third-party drivers.

The other way is trivial. Maynor or Ellch (or both) need to perform their demonstration attack not in front of people like Krebs who don’t know the platform well, but in front of recognized Macintosh security and networking experts who do. We’d nominate Glenn Fleishman, but Alan Oppenheimer at Open Door Networks or Macworld Labs would be just fine, too.

The task is simple: Maynor or Ellch would bring whatever tools they wanted to use for their attack, but the target machine would be a stock, unmodified, black MacBook computer (though extra RAM might be allowable), with AirPort turned on and a valid network available if the researchers need it. They would then be free to do whatever they wanted to attack the MacBook except physically touch it.

If they can repeat the demo feat of logging into the MacBook, with or without root privileges, and create and delete files on the desktop, they are redeemed. If they can’t do it in, say, two hours, then they withdraw their claims about MacBook vulnerabilities and apologize to everyone involved. The experts who monitor the test would have to agree not to divulge details about how the vulnerability works, of course, but that’s a small thing – if the vulnerability is real, Mac experts won’t want it in the wild any more than Maynor and Ellch would.

Less than two days later, John Gruber took this upon himself!

I’m issuing the following challenge to David Maynor and Jon Ellch:

If you can hijack a brand-new MacBook out of the box, it’s yours to keep.

Gruber’s version of the challenge doesn’t allow extra RAM in the MacBook, nor does it require a black MacBook as seen in the demo, or stipulate the presence of known Macintosh security experts like Fleishman, Oppenheimer, or the Macworld Labs folks. Still, if either Maynor or Ellch demanded these things, we suspect Gruber might acquiesce – and you have to admire him stepping up and putting his own money at risk for it.

Third-party monitors might make Maynor and Ellch feel like they’re not being railroaded, but if Gruber wants to pay for the MacBook, we say he has the right to watch the attack succeed or fail – provided no one tries to snoop on the network packets as Maynor and Ellch have always said they feared.

But especially now, with a stock machine ready for the demonstration any time this week that they want, Maynor and Ellch either need to put up or shut up. Either they can compromise a MacBook’s internal AirPort Extreme hardware with no additional user requirements, or they can’t and have just enjoyed the attention from almost publicly claiming that they could. They need to do it and be revered, or note the end of their 15 minutes and go away.

If the duo will not demonstrate this attack under controlled conditions now, a full month after demoing it at Black Hat, no reasonable person should be expected to believe the vulnerability ever existed.

(MWJ subscribers: This issue of MDJ is now in your MWJ RSS feed per our previous policy of providing MDJ issues when MWJ is delayed – enjoy!)

MDJ 2006.08.04 and MWJ 2006.08.05 have both been distributed: double or triple size, figures and tables, even a sidebar. It’s a festival on your screen! We’ll update you from San Francisco this weekend.

Part of the original item from Wednesday:

With this heat wave now having affected almost all of the United States, we appreciate that everyone seems to understand what working with sub-optimal cooling is like. According to Weather Underground, we’ve had temperatures of 100°F or more for 18 of the past 23 days, a bad time to be without good cooling. (It’s still not perfect, but it’s functional – slightly distressing, because the current system was installed brand new while we were away from the building for WWDC 2001!)

We’ll replace this item with further updates on our pre-WWDC issues as they transpire.
